Secure Authentication: Eliminating Possible Backdoors in Client-Server Endorsement

Authors :
Arun Mishra
Jai Prakash Jyotiyana
Source :
Procedia Computer Science. :606-615
Publisher :
The Author(s). Published by Elsevier B.V.

Abstract

Communication takes place between unknown entities with no prior relationship and no common security domain. These entities mostly rely on a challenge-response authentication protocol, in which one party presents a “challenge” and another party must provide a valid “response” to be authenticated. The simplest example of a challenge-response protocol is password authentication, where the challenge is asking for the password and the valid response is the correct password. This type of system suffers from weak authentication and is open to vulnerabilities. An adversary can take advantage of these vulnerabilities as backdoors. A malicious developer can modify source or binary code, or insert malicious code into the original source code, to bypass the authentication programming logic. The proposed approach eliminates these backdoors from the authentication system and provides trusted authentication between parties. An authentication system has been designed that consists of the functions involved in generating the verification signature and comparing challenge and response. The approach includes two steps: first, verify whether the authentication system is tamper-proof; second, separate the execution of the authentication system from other applications running on the server. The execution of the authentication system needs to be kept secure at the low level where instructions are translated and memory is allocated for execution. The proposed approach reduces the possibility of return-oriented programming attacks. It also prevents the authentication system from being affected by extra parameters, global variables and malicious applications running on the server, and does not let the authentication logic be bypassed.

Details

Language :
English
ISSN :
18770509
Database :
OpenAIRE
Journal :
Procedia Computer Science
Accession number :
edsair.doi.dedup.....9dc7193b9dd9d0e57eaa33e814311670
Full Text :
https://doi.org/10.1016/j.procs.2016.05.227